DECNET/rules/ttp/R0054.yaml

rule_id: R0054
rule_version: 1
name: abuseipdb_category
description: |
  AbuseIPDB category → ATT&CK technique mapping per Appendix A.10.
  IntelLifter reads AttackerIntel.abuseipdb_categories and emits
  one tag per matching category code.
applies_to:
  - intel
match:
  kind: lifter:intel_abuseipdb
  provider: abuseipdb
emits:
  - tactic: TA0006
    technique_id: T1110
    confidence: 0.7
  - tactic: TA0001
    technique_id: T1190
    confidence: 0.7
  - tactic: TA0001
    technique_id: T1566
    confidence: 0.7
evidence_fields:
  - abuseipdb_categories
  - abuse_confidence_score